Abstract — The increasing availability and use of biometric
data for authentication and other purposes leads to
situations  when  sensitive  biometric  data  is  to  be  handled 
or  used  in  computation  by  entities  who  may  not  be  fully 
trusted  or  otherwise  authorized  to  have  full  access  to  such 
data.  This  calls  for  mechanisms  of  provably  protecting 
biometric  data  while  still  allowing  the  computation  to  take 
place. In this work, we treat the problem of privacy-preserving
matching of two fingerprints, which can be
used for secure fingerprint authentication and identification.
We utilize traditional minutia-based representation
of  fingerprints  that  leads  to  the  most  discriminative  (i.e., 
accurate)  fingerprint  comparisons.  Unlike  prior  work,  we 
design  a  data-oblivious  algorithm  that  results  in  the  most 
accurate  outcome  of  fingerprint  matching  through  a  more 
complex  minutia  pairing  approach  based  on  maximum  flow 
in  bipartite  graphs.  This  algorithm  then  leads  to  secure 
fingerprint  matching  solutions  of  high  security  standards. 
The  complexity  of  our  solution  is  higher  than  those  of  some 
other  available  protocols,  but  nevertheless  we  show  that  our 
techniques  still  efficiently  compare  two  fingerprints  with 
provable  security  guarantees.  That  is,  they  run  in  a  similar 
amount  of  time  to  those  with  simpler  matching  mechanisms 
which  are  not  guaranteed  to  find  the  best  matching. 


I.  Introduction 

Biometric  authentication  and  other  uses  of  biometric 
data are becoming more prevalent today in a variety
of applications, which was prompted in part by
recent  advances  in  biometric  recognition.  Large-scale 
collections  of  biometric  data  in  use  today  include,  for 
example,  fingerprint,  face,  and  iris  images  collected 
by  the  US  Department  of  Homeland  Security  (DHS) 
from  visitors  [27];  fingerprint  and  iris  images  collected 
by  the  government  of  India  from  (more  than  billion) 
citizens  [34];  iris,  fingerprint,  and  face  images  collected 
by  the  United  Arab  Emirates  (UAE)  Ministry  of  Interior 
from  visitors  [36];  and  adoption  of  biometric  passports  in 
several countries. It is evident that biometric authentication
and identification have advantages over alternative
mechanisms  such  as  good  accuracy  and  unforgeability 
of  biometry.  Biometric  data,  however,  is  highly  sensitive 
and, once leaked, cannot be revoked or replaced. This
calls for stringent protection of biometric data while at
rest  and  when  used  in  applications. 

The  above  means  that  biometric  data  cannot  be  easily 
shared  between  organizations  or  agencies,  but  there  are 
often  legitimate  reasons  for  computing  with  biometric 
data  that  belong  to  different  entities.  As  an  example,  a 
private  investigator  can  be  interested  in  knowing  whether 
a  biometric  she  captured  appears  in  the  government’s 
criminal  database,  but  without  disclosing  the  biometric 
if  no  matches  are  found.  Similarly,  two  organizations 
or  collaborating  governments  might  want  to  determine 
which  individuals,  if  any,  appear  simultaneously  in  their 
respective  databases  without  revealing  any  additional 
information.  A  solution  to  enabling  such  computation 
while  protecting  privacy  of  the  data  is  to  employ  secure 
multi-party  computation  techniques,  which  compute  the 
result  without  disclosing  any  additional  information. 

In  this  work  we  focus  on  fingerprint  data  due  to 
popularity  and  good  accuracy  of  this  type  of  biometry. 
We formulate the problem of private, or secure, fingerprint
matching as follows: one party A possesses private
fingerprint  X  and  another  party  B  possesses  another 
private  fingerprint  Y .  The  parties  would  like  to  know 
whether  the  fingerprints  they  possess  correspond  to  the 
same  individual.  In  the  above  formulation,  this  is  the 
problem  of  biometric  authentication.  More  generally, 
one  of  the  parties,  say,  party  B  can  be  in  possession 
of  a  database  D.  Then  the  computation  consists  of 
securely comparing X to all Y ∈ D and identifying
the  biometrics  that  matched  (if  any),  which  is  known 
as  the  problem  of  biometric  identification.  There  also 
could  be  variants  to  this  computation  such  as  outputting 
at  most  one  index  from  the  database  that  corresponds 
to  the  biometric  with  the  smallest  distance  among  all 
biometrics  that  matched  the  query.  Such  variants  can  be 
easily derived from a solution that compares two fingerprints
and we thus primarily concentrate on techniques
for  comparing  two  fingerprints  X  and  Y.  We  also  note 
that  the  solution  we  develop  can  be  used  in  other  settings 
such  as  outsourcing  the  computation  to  third  parties  by 
one  or  more  data  owners  as  no  information  about  the  data 
is revealed throughout the computation. For concreteness
of  presentation,  we,  however,  adhere  to  the  two-party 
formulation  of  the  problem. 

Prior literature such as [8], [9], [30] already contains
solutions for secure fingerprint matching. What,
however,  distinguishes  our  work  from  prior  results  is 
achieving  a  high  level  of  accuracy  while  maintaining 
efficiency of the algorithm. In particular, a minutia-based
fingerprint representation consists of a number
of  minutiae  points  in  a  two-dimensional  space  together 
with  their  orientation.  Matching  of  points  from  one 
fingerprint  with  points  from  another  fingerprint  consists 
of  computing  Euclidean  distances  and  angle  difference 
between  the  points  and  marking  two  points  as  a  possible 
match  if  both  distances  are  within  certain  thresholds. 
The  next  step  consists  of  pairing  points  from  X  with 
“possible  match”  points  from  Y  and  the  number  of 
points  that  could  be  paired  together  determines  whether 
the  fingerprints  were  a  match  or  not.  A  simple  way  to 
determine  the  pairing  is  to  associate  a  point  from  X  to 
the  closest  point  from  Y  that  has  not  already  been  paired 
with  another  point  from  X.  A  more  involved  algorithm, 
on  the  other  hand,  would  try  to  find  a  pairing  of  the 
largest  possible  size,  where  a  point  from  X  is  paired  with 
a  “possible  match”  point  from  Y,  but  not  necessarily  the 
closest  to  it.  This  results  in  more  accurate  matching  of 
two  fingerprints,  but  incurs  higher  computational  cost. 

The  latter  approach  has  not  been  explored  in  security 
literature and requires new techniques for secure processing
of the data. We note that the new techniques
are necessary even if a general-purpose mechanism for
securing computation (such as garbled circuits or secret
sharing) is to be used. In this work, we reduce the
problem  to  that  of  computing  the  size  of  maximum  flow 
in  a  flow  network  and  build  techniques  for  solving  it 
in  secure  computation  context.  Beyond  application  of 
the  solution  to  fingerprint  matching,  the  algorithm  may 
be  applicable  to  other  domains  and  be  of  independent 
interest.  Despite  higher  complexity  of  the  algorithm,  we 
show  through  experimental  evaluation  that  the  solution 
nevertheless  offers  fast  performance. 

II.  Related  Work 

Work  on  secure  multi-party  computation  was  initiated 
in Yao’s seminal work [38] that showed that any computable
function can be securely evaluated by representing
it as a boolean circuit. Since then a large number
of  both  general  and  special-purpose  techniques  followed 
and  their  overview  is  beyond  the  scope  of  this  work.  We 
thus  mention  only  the  most  relevant  results.  There  are 
currently  a  number  of  recent  tools  and  compilers  (such  as 
Fairplay  [23],  VIFF  [11],  Sharemind  [10],  PICCO  [39], 
and  others),  which  can  securely  evaluate  functions  on 
private  data  in  a  variety  of  settings. 


In  the  context  of  biometric  matching,  results  available 
today  include  work  on  secure  face  recognition  ([12], 
[29]  and  others),  DNA  matching  ([35],  [6],  and  others), 
iris  code  comparisons  ([9],  [7]),  fingerprint  comparisons 
([2],  [8],  [30]),  and  speaker  authentication  ([28],  [1]). 
Each  biometric  type  has  a  unique  representation  and  the 
corresponding  algorithm  for  comparing  two  biometrics, 
which  prompted  the  need  to  design  separate  solutions 
for  different  biometric  modalities. 

The  first  privacy-preserving  protocol  for  fingerprint 
identification  is  due  to  Barni  et  al.  [2]  who  utilize  the 
so-called  FingerCode  approach  [18]  for  comparing  two 
fingerprints  and  built  a  solution  using  a  homomorphic 
encryption  scheme.  FingerCodes  use  texture  information 
from a fingerprint to compare two biometrics. The algorithm
is not as discriminative as fingerprint matching
techniques  based  on  location  of  minutiae  points,  but 
it  was  chosen  by  the  authors  as  particularly  suited  for 
efficient  realization  in  the  privacy-preserving  framework. 
While the use of FingerCodes can result in fast comparisons
of fingerprints, the approach is not suitable for
biometric  identification. 

Blanton  and  Gasti  [8],  [9]  provide  privacy-preserving 
protocols for both FingerCode and minutia-based fingerprint
representation. Their solution utilizes a combination
of homomorphic encryption and garbled circuit evaluation.
In the minutia-based approach, each fingerprint
X  is  represented  as  a  point  in  a  2-dimensional  space 
together  with  its  orientation.  To  compare  fingerprints  X 
and Y consisting of $m_X$ and $m_Y$ minutiae, respectively,
the solution in [8] proceeds by first computing the
adjacency matrix of size $m_X m_Y$, which indicates which
points from X and Y are a possible match. That is,
the cell at row i and column j is set if the spatial
(Euclidean) distance between point i in X and point j
in Y as well as the difference in their orientation are
within specific thresholds. Then the algorithm proceeds
by considering each minutia i of X in turn, matching
it with the closest unmatched minutia j in Y among
those  which  are  set  as  a  possible  match  in  the  adjacency 
matrix.  At  the  end,  the  size  of  the  computed  matching 
is  compared  to  the  threshold  to  determine  whether  the 
fingerprints  should  be  treated  as  related  or  not.  As 
mentioned  before,  this  approach  may  fail  to  find  the  best 
matching  for  the  input  fingerprint  and  thus  produce  an 
incorrect  result,  and  we  use  it  as  the  starting  point  for 
our  solution.  The  complexity  of  the  approach  from  [8] 
for two biometrics X and Y consisting of $m_X$ and $m_Y$
minutiae, respectively, is $O(m_X m_Y)$.

Lastly, Shahandashti et al. [30] design a privacy-preserving
protocol for minutia-based fingerprint matching
using homomorphic encryption. As before, each
fingerprint  consists  of  a  number  of  minutiae,  but  with  this 
solution  each  minutia  contains  its  type  (in  addition  to  its 
location and orientation) and the types of two minutiae
must  match  for  two  minutiae  to  be  considered  as  a 
possible  match.  The  computation  is  based  on  evaluation 
of  polynomials  in  encrypted  form  and  a  pair  of  minutiae 
i ∈ X and j ∈ Y are added to the matching if they
are  a  possible  match.  Note  that  the  computation  is  not 
accurate  and  introduces  an  error  every  time  a  minutia 
from  X  or  Y  has  more  than  one  possible  match.  The 
complexity of the solution from [30] is dominated by
$O(m_X m_Y (|T| + |D_E| + |D_a|))$ cryptographic operations,
where $|T|$ is the number of minutia types, $|D_E|$ is the
set of all possible squared Euclidean distances between
two points (i.e., if $x_{max}$ and $y_{max}$ are maximum x
and y coordinates, respectively, then $|D_E| = x_{max}^2 +
y_{max}^2 + 1$), and $|D_a|$ is the set of all possible squared
angular distances between point orientations. Because
the complexity is quadratic in the domain size for point
representation, this approach is quite a bit slower than
others for a typical set of parameters.

III.  Problem  Description 
A.  Fingerprint  background 

Fingerprint  identification  is  a  well-studied  area  with  a 
number  of  available  approaches  [24].  The  most  popular 
and  widely  used  techniques  extract  information  about 
minutiae  from  a  fingerprint  and  store  that  information 
as a set of points in the two-dimensional plane. Fingerprint
matching then consists of finding a matching
between two sets of points so that the number
of minutiae pairings is maximized. In more detail, a
biometric X is represented as a set of $m_X$ points
$X = ((x_1, y_1, a_1), \ldots, (x_{m_X}, y_{m_X}, a_{m_X}))$. A minutia
$X_i = (x_i, y_i, a_i)$ in X and minutia $Y_j = (x'_j, y'_j, a'_j)$
in Y are considered matching if the spatial (Euclidean)
distance between them is smaller than a given threshold
$d_0$ and the orientation difference between them is smaller
than a given threshold $a_0$. In other words, the matching
condition is computed as:

$$\sqrt{(x'_j - x_i)^2 + (y'_j - y_i)^2} < d_0 \;\wedge\; \min(|a'_j - a_i|,\ 360^\circ - |a'_j - a_i|) < a_0. \qquad (1)$$

The tolerance values $d_0$ and $a_0$ are necessary to account
for errors introduced by feature extraction algorithms
(e.g., quantizing) and small skin distortions. Two points
within a single fingerprint are also assumed to lie within
at least distance $d_0$ of each other.

Before  two  fingerprints  can  be  compared,  they  need 
to  be  pre-aligned,  which  maximizes  the  number  of 
matching  minutiae.  Alignment  can  be  either  absolute,  in 
which  case  each  fingerprint  is  pre-aligned  independently 
using  the  core  point  or  other  information,  or  relative,  in 
which  case  information  contained  in  the  two  biometrics 
is  used  to  guide  their  alignment  relative  to  each  other. 


While relative pre-alignment can be more accurate than
absolute  pre-alignment,  such  techniques  are  not  feasible 
to  implement  in  a  privacy-preserving  protocol,  and  we 
assume  that  absolute  pre-alignment  is  used.  To  increase 
the  accuracy  of  the  matching  process,  a  single  fingerprint 
can  be  stored  using  a  small  number  of  slightly  different 
alignments,  and  the  result  of  the  comparison  is  a  match 
if  at  least  one  of  them  matches  the  queried  biometric. 
A  more  detailed  treatment  of  alignment  procedures  is 
outside  the  scope  of  this  work. 

A  simple  way  used  for  determining  a  pairing  between 
minutiae  of  fingerprints  X  and  Y  consists  of  pairing  a 
minutia  Xi  with  the  closest  minutia  Yj  in  Y  that  satisfies 
the  matching  constraint  and  which  has  not  already  been 
paired  with  another  minutia  in  Y.  That  is,  the  pairing 
function  considers  all  minutiae  Xi  from  X  in  turn 
and  for  each  Xi  finds  the  closest  Yj  that  satisfies  the 
matching  predicate  in  equation  1  and  which  has  not 
been  paired  with  another  minutia  from  X.  If  no  such 
minutia  Yj  from  Y  exists,  Xi  is  not  added  to  the  pairing. 
We denote the result of applying the minutia matching
predicate in equation 1 to minutiae Xi ∈ X and Yj ∈ Y
by mm(Xi, Yj).

This  approach  was  used  in  prior  privacy-preserving 
fingerprint  matching  solutions,  but  it  does  not  find  the 
optimum  assignment  (i.e.,  the  one  that  maximizes  the 
number  of  mates).  That  is,  there  are  circumstances  when 
a  minutia  Xi  should  be  paired  with  another  minutia 
Yj,  which  is  not  the  closest  to  Xi,  to  result  in  an 
assignment  of  the  largest  size.  According  to  fingerprint 
literature  [19],  [37],  the  optimum  pairing  can  be  achieved 
by formulating the problem as an instance of minimum-cost
maximum flow, where fingerprints X and Y are
used to create a flow network. In particular, to represent
fingerprints X and Y as a flow network, we form a
bipartite graph in which minutia points from X and
Y form the nodes of the first and second partitions,
respectively. The set of edges is created as follows: there
is an edge from a node corresponding to minutia Xi ∈ X
to Yj ∈ Y iff mm(Xi, Yj) = 1. To use the resulting
bipartite  graph  as  a  flow  network,  we  create  an  additional 
source  node  s  and  connect  it  to  all  nodes  from  X  using 
(directional)  edges  of  capacity  1.  Similarly,  we  create  a 
sink  node  and  connect  each  node  from  Y  to  the  sink 
node  t  using  edges  of  capacity  1.  Then  each  edge  from 
Xi  to  Yj  also  has  capacity  1  (in  one  direction  only).  We 
refer  the  reader  to  [19],  [37]  for  additional  detail. 
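
The difference between the closest-first pairing and the maximum-size pairing described above, as an added example that is not code from the paper. The minutiae, the thresholds D0, A0 and T, and the function names other than mm are constructed for illustration.

```python
import math

# Constructed sample minutiae (x, y, orientation in degrees); not real biometric data.
# Points inside one fingerprint are at least D0 apart, as the text assumes.
D0, A0, T = 10.0, 15.0, 2          # assumed thresholds d0, a0 and match threshold T
X = [(0, 0, 355), (12, 0, 0), (40, 40, 90)]
Y = [(6, 0, 350), (-8, 0, 5), (42, 41, 95)]


def dist(p, q):
    """Spatial (Euclidean) distance between two minutiae."""
    return math.hypot(q[0] - p[0], q[1] - p[1])


def mm(p, q, d0=D0, a0=A0):
    """Minutia matching predicate of equation 1."""
    diff = abs(q[2] - p[2]) % 360
    return dist(p, q) < d0 and min(diff, 360 - diff) < a0


def greedy_pairing(xs, ys):
    """Pair each X_i with the closest still-unpaired Y_j that satisfies mm."""
    used, pairs = set(), []
    for i, p in enumerate(xs):
        cands = [(dist(p, q), j) for j, q in enumerate(ys)
                 if j not in used and mm(p, q)]
        if cands:
            _, j = min(cands)
            used.add(j)
            pairs.append((i, j))
    return pairs


def max_pairing(xs, ys):
    """Largest pairing: unit-capacity max flow s -> X -> Y -> t, found with
    Ford-Fulkerson style augmenting paths over the bipartite graph."""
    adj = [[j for j, q in enumerate(ys) if mm(p, q)] for p in xs]
    owner = [None] * len(ys)       # owner[j] = index i currently paired with Y_j

    def augment(i, seen):
        for j in adj[i]:
            if j in seen:
                continue
            seen.add(j)
            # Y_j is free, or its current partner can be re-routed elsewhere.
            if owner[j] is None or augment(owner[j], seen):
                owner[j] = i
                return True
        return False

    for i in range(len(xs)):
        augment(i, set())
    return sorted((i, j) for j, i in enumerate(owner) if i is not None)


def is_match(pairs, threshold=T):
    """Fingerprints match when the number of paired minutiae exceeds T."""
    return len(pairs) > threshold


if __name__ == "__main__":
    g, m = greedy_pairing(X, Y), max_pairing(X, Y)
    print("greedy :", g, "match =", is_match(g))
    print("optimal:", m, "match =", is_match(m))
```

On this input the closest-first rule gives X0 the nearer Y0, which leaves X1 without a partner, so the same two fingerprints fall below T under one rule and above it under the other.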

The fingerprint matching problem in the maximum
flow formulation can be solved using one of the known
algorithms such as Ford-Fulkerson [13] and others. For
fingerprints consisting of m minutiae, the optimal pairing
can be found in $O(m^2)$ time using the Ford-Fulkerson
algorithm because each minutia from X is connected
to at most a constant number of minutiae from Y. In
a privacy-preserving setting, however, when information
about  connections  between  minutiae  in  X  and  Y  (and 
thus  the  structure  of  the  graph)  must  remain  private,  the 
complexity  of  this  approach  based  on  Ford-Fulkerson 
algorithm  increases  at  least  by  a  factor  m.  Finding  a 
pairing  of  optimal  size  was  considered  impractical  in  [8], 
but  in  this  work  we  show  that  with  the  techniques  we 
develop,  performance  of  fingerprint  comparisons  can  be 
comparable  or  faster  than  performance  of  simpler  and 
less  accurate  fingerprint  comparisons  given  in  [8]  (which 
is  currently  the  fastest  solution  for  secure  minutia-based 
fingerprint  matching). 

Throughout  this  work,  we  assume  that  in  order  for  two 
fingerprints  X  and  Y  to  result  in  a  match,  the  number 
of  paired  minutiae  needs  to  exceed  a  fixed  (known  to 
all  parties)  threshold  T  (which  can  be  a  function  of  the 
number  of  minutiae  in  X  and  Y,  but  is  fixed  once  the 
sizes are known).¹

B.  Security  model 

In  this  work,  we  use  standard  security  models  for 
secure  multi-party  computation.  We  primarily  focus  on 
security  in  presence  of  semi-honest  participants  (also, 
honest-but-curious  or  passive),  but  our  solutions  can  also 
be  extended  to  achieve  stronger  security  in  presence  of 
fully  malicious  (or  active)  adversaries.  In  particular,  the 
semi-honest setting means that the parties follow the prescribed
behavior, but might try to compute additional information
from the information obtained during protocol
execution.  Recall  that  it  is  required  that  the  participants 
do  not  learn  anything  about  private  input  data  beyond 
the  agreed-upon  output.  Consequently,  security  in  this 
setting  is  defined  using  simulation  argument:  the  protocol 
is  secure  if  the  view  of  protocol  execution  for  each  party 
is computationally or information-theoretically indistinguishable
from the view simulated using that party’s
input  and  output  only.  This  implies  that  the  protocol 
execution  does  not  reveal  any  additional  information 
to  the  participants.  The  definition  below  formalizes  the 
notion  of  security  for  semi-honest  participants: 

Definition 1. Let parties $P_1, \ldots, P_n$ engage in a protocol
$\Pi$ that computes function $f(\mathrm{in}_1, \ldots, \mathrm{in}_n) = (\mathrm{out}_1, \ldots,
\mathrm{out}_n)$, where $\mathrm{in}_i$ and $\mathrm{out}_i$ denote the input and output
of $P_i$, respectively. Let $\mathrm{VIEW}_\Pi(P_i)$ denote the view of
$P_i$ during the execution of protocol $\Pi$. More precisely,
$P_i$’s view is formed by its input, internal random coin
tosses $r_i$, and messages $m_1, \ldots, m_k$ passed between
the parties during protocol execution: $\mathrm{VIEW}_\Pi(P_i) =
(\mathrm{in}_i, r_i, m_1, \ldots, m_k)$. Let $I = \{P_{i_1}, P_{i_2}, \ldots, P_{i_t}\}$ denote
a subset of the parties for $t < n$ and $\mathrm{VIEW}_\Pi(I)$ denote
the combined view of parties in $I$ during the execution of
$\Pi$ (i.e., the union of the views of the parties in $I$). We say
that protocol $\Pi$ is t-private in presence of semi-honest
adversaries if for each coalition of size at most t there
exists a probabilistic polynomial time simulator $S_I$ such
that $\{S_I(\mathrm{in}_I, f(\mathrm{in}_1, \ldots, \mathrm{in}_n))\} \equiv \{\mathrm{VIEW}_\Pi(I), \mathrm{out}_I\}$,
where $\mathrm{in}_I = \bigcup_{P_i \in I} \{\mathrm{in}_i\}$ and $\equiv$
denotes computational or information-theoretic indistinguishability.

¹ In the event that the value of T comes from one of the participants
and needs to be protected, the solution can be easily modified to
compute with private T.

Note  that  we  choose  to  present  a  general  definition 
for  n  parties  who  carry  out  the  computation.  For  the 
problem  we  study,  the  most  common  setting  is  going  to 
be  n  =  2  and  thus  t  =  1.  We,  however,  would  like  to 
offer  a  solution  that  works  for  n  >  2  and  is  also  suitable 
for  outsourcing  to  multiple  computational  nodes. 

The second standard, and stronger, security model assumes
the participants can be fully malicious and thus allows
them to behave arbitrarily including deviating from
the  computation  and  aborting  the  execution.  Security  in 
this  setting  is  shown  using  a  different  security  definition, 
which  we  omit  here  due  to  space  considerations  and 
instead  refer  the  reader,  e.g.,  to  [14]. 

IV.  Working  Toward  the  Solution 

Before  we  start  working  our  way  to  a  solution,  we 
note  that  our  objective  now  is  to  solve  the  maximum  flow 
problem  in  a  flow  network  formed  by  two  fingerprints 
X  and  Y.  An  important  observation  here  is  that  this 
is  a  graph  problem,  but  the  structure  of  the  graph  (i.e., 
information  about  connectivity  of  nodes  from  X  to  nodes 
from  Y)  must  be  hidden  from  all  parties.  This  calls  for  a 
solution known as data-oblivious in the literature. Data-oblivious
execution is defined as having the sequence
of instructions and memory accesses be independent
of the data on which the computation is performed.
Such  a  solution  can  be  either  deterministic,  in  which 
case  the  sequence  of  executed  instructions  and  memory 
accesses  are  always  the  same  regardless  of  the  data,  or 
probabilistic,  in  which  case  their  distributions  must  be 
indistinguishable  for  all  possible  inputs. 

In  the  search  for  an  approach  suitable  for  solving 
the  maximum  flow  problem  in  a  data-oblivious  way, 
we  chose  to  concentrate  on  solutions  that  work  with 
adjacency  matrix  representation  of  the  graph.  Note  that 
because  our  graph  is  bipartite,  we  only  need  to  consider 
an  approach  that  works  for  a  bipartite  graph  and  not 
necessarily  for  a  general  graph. 

Our  starting  point  was  the  work  of  Mucha  and 
Sankowski  [25]  that  presents  a  randomized  algorithm  for 
finding maximum matching in an n-node graph in $O(n^\omega)$
time, where $\omega$ is the exponent of the best known matrix
multiplication algorithm and currently $\omega < 2.38$. The
solution of [25] assumes that a perfect matching of size
n/2 is present, which it will compute. This is not the case
for our application, and to use this solution on a graph
without perfect matching, we need to resort to techniques
of Ibarra and Moran [16] (which are applicable to
bipartite graphs only). The most crucial result listed in
[25] that we need is due to Lovász [22] and can be stated
as follows: Let $G = (V, U, E)$ be a bipartite graph with
nodes $V \cup U$ and edges $E$, where $|V| = |U| = n/2$,
$V = \{v_1, \ldots, v_{n/2}\}$ and $U = \{u_1, \ldots, u_{n/2}\}$. Let an
adjacency matrix $A = A(G)$ be formed by setting $A_{ij}$
to a random value from the set $[1, R]$ for some $R$ if
$(v_i, u_j) \in E$ and to 0 otherwise. Then the rank of $A$
is at most the size of the maximum matching, where
the equality holds with probability at least $1 - (n/2R)$.
This  means  that  if  the  bitlength  of  R  is  set  according 
to  a  correctness  parameter,  the  rank  will  be  equal  to  the 
size  of  the  maximum  matching  with  all  but  at  most  a 
negligible  probability  (in  the  correctness  parameter). 

Note  that  in  our  application  it  is  not  necessary  to 
compute  the  matching  itself  and  instead  the  size  of  the 
pairing  of  points  from  X  and  Y  is  sufficient  to  determine 
if  X  and  Y  result  in  a  match.  This  means  that  if  we 
determine  the  rank  of  the  matrix  formed  as  described 
above,  we  will  be  able  to  compute  the  answer  to  the 
question  whether  two  fingerprints  are  related  or  not. 

The  next  step  is  to  compute  the  rank  of  A.  A  standard 
way  to  achieve  this  is  to  apply  Gaussian  elimination 
(LU  decomposition)  to  A.  The  simplest  algorithm  for 
doing so runs in $O(n^3)$ time for an $n \times n$ matrix and
asymptotically lower solutions (of the same complexity
as that of matrix multiplication) are possible. Before
we proceed with further discussion, we include a (non-secure)
solution of complexity $O(n^3)$ based on Gaussian
elimination. When it is applied to biometrics X and Y
with $m_X$ and $m_Y$ minutiae, respectively, its complexity
is $O(m_X^2 m_Y)$ assuming that $m_X \le m_Y$.

Note  that  the  first  step  of  fingerprint  matching  based 
on  rank  computation  using  any  approach  consists  of 
computing  the  randomized  adjacency  matrix.  Because 
this pre-processing step is common to all solutions, we
separately present it in Algorithm 1. In the algorithm,
notation $z \stackrel{R}{\leftarrow} S$ denotes that the value of z is chosen
uniformly at random from set S.

The  Gaussian  elimination  algorithm  that  takes  the 
resulting  adjacency  matrix  A  and  converts  it  to  a  row 
echelon  form  is  given  in  Algorithm  2.  It  assumes  that 
$m_X \le m_Y$; otherwise, the roles of X and Y are
swapped.  Following  [16],  after  forming  adjacency  matrix 
A,  we  carry  out  all  operations  in  a  field  (of  size  R)  in 
this  and  other  algorithms.  That  is,  we  treat  the  matrix  as 
consisting  of  random  field  elements  and  all  consecutive 
operations  are  in  a  field  (which  in  particular  is  the  reason 
for  using  multiplicative  inverse  in  place  of  division).  We 
present  the  simplest  version  of  the  Gaussian  elimination 


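Algorithm 1  A = AdjMat($X = (x_i, y_i, a_i)_{1 \le i \le m_X}$, $Y = (x'_j, y'_j, a'_j)_{1 \le j \le m_Y}$)

for $i = 1, \ldots, m_X$ do
    for $j = 1, \ldots, m_Y$ do
        if ($\sqrt{(x'_j - x_i)^2 + (y'_j - y_i)^2} < d_0$) ∧
           ($\min(|a'_j - a_i|,\ 360^\circ - |a'_j - a_i|) < a_0$) then
            $A_{ij} = 1$;
        else
            $A_{ij} = 0$;
        end if
        $r_{ij} \stackrel{R}{\leftarrow} [1, R]$;
        $A_{ij} = A_{ij} \cdot r_{ij}$;
    end for
end for
return A;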


Algorithm 2  B = GE(A)

for $i = 1, \ldots, m_X$ do
    for $j = i + 1, \ldots, m_X$ do
        for $k = i, \ldots, m_Y$ do
            $A_{jk} = A_{jk} - A_{ik} \cdot A_{ii}^{-1} \cdot A_{ji}$;
        end for
    end for
end for


algorithm that works only for invertible matrices (with
$m_X = m_Y$) and which results in a matrix with only
non-zero entries on the diagonal formed by elements $A_{ii}$
and zero elements below the diagonal. In a more general
case, some of the matrix rows or columns may either be
initially zero or become zero during the execution of the
algorithm, and the matrix does not have to be square.
In those cases, during the ith iteration, the algorithm
may swap row i + 1 with another row at a higher index
so that row i + 1 contains a non-zero element at the
leftmost position (or lowest column index) among all
rows with indices i + 1 and higher. This implies that
a column will be “skipped” if all of its entries below
row i are zero (i.e., the computation will be of the form
$A_{jk} = A_{jk} - A_{ik} \cdot A_{it}^{-1} \cdot A_{jt}$ for $t > i$). We note that in our
application of fingerprint matching the adjacency matrix
is likely to contain a large number of zero elements
and we need to use the general algorithm for arbitrary
matrices. Then the rank of the matrix is computed as the
number of non-zero rows (or columns) once the matrix
has been converted to a row echelon form.
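
The rank-based computation of the pairing size (the Lovász result quoted earlier) together with the general-case elimination just described, as an added example that is not the paper's code. It is the plain, non-secure and non-oblivious version: its branches depend on the data. The prime field size P, the function names and the sample matrices are assumptions made for illustration.

```python
import random

# Assumed field: integers modulo the Mersenne prime 2^61 - 1, so the random
# nonzero entries play the role of values drawn from [1, R] in Algorithm 1.
P = (1 << 61) - 1

# Constructed 0/1 "possible match" matrices (rows = minutiae of X, columns = Y).
ADJ_SMALL = [[1, 1, 0],
             [1, 0, 0],
             [0, 0, 1]]            # maximum pairing has size 3
ADJ_SPARSE = [[1, 0, 0, 0, 0],     # rows 0 and 1 compete for the same Y_0
              [1, 0, 0, 0, 0],
              [0, 0, 1, 1, 0],
              [0, 0, 0, 0, 0]]     # zero row: this minutia has no candidate
K22 = [[1, 1],
       [1, 1]]                     # complete graph, maximum pairing has size 2


def randomize(adj, rng):
    """Replace every 1 by an independent random nonzero field element."""
    return [[rng.randrange(1, P) if bit else 0 for bit in row] for row in adj]


def rank_mod_p(matrix):
    """Rank over GF(P) by Gaussian elimination for arbitrary matrices:
    rows are swapped to bring up a pivot and all-zero columns are skipped."""
    a = [[v % P for v in row] for row in matrix]
    rows = len(a)
    cols = len(a[0]) if rows else 0
    rank = 0
    for c in range(cols):
        pivot = next((r for r in range(rank, rows) if a[r][c]), None)
        if pivot is None:
            continue                          # column skipped
        a[rank], a[pivot] = a[pivot], a[rank]
        inv = pow(a[rank][c], -1, P)          # multiplicative inverse, not division
        for r in range(rank + 1, rows):
            if a[r][c]:
                factor = a[r][c] * inv % P
                for k in range(c, cols):
                    a[r][k] = (a[r][k] - factor * a[rank][k]) % P
        rank += 1
        if rank == rows:
            break
    return rank                               # number of non-zero rows in echelon form


def pairing_size(adj, seed=None):
    """Size of the maximum pairing, correct except with negligible probability.
    A fixed seed is for reproducible demos only; use fresh randomness otherwise."""
    return rank_mod_p(randomize(adj, random.Random(seed)))


if __name__ == "__main__":
    for name, adj in (("small", ADJ_SMALL), ("sparse", ADJ_SPARSE), ("K22", K22)):
        print(name, "0/1 rank:", rank_mod_p(adj), "randomized rank:", pairing_size(adj, seed=1))
```

The K22 case shows why the entries are randomized: the raw 0/1 matrix has rank 1 although two pairs can be formed.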

Lastly,  we  note  that  in  the  traditional  setting,  when 
some  rows  and/or  columns  are  initially  zero,  they  can 
be  eliminated  from  the  matrix  before  the  algorithm  is 
executed  because  such  rows/columns  cannot  contribute 
to  the  matrix  rank.  This  reduces  complexity  of  the 
algorithm  for  sparse  matrices  in  the  regular  setting,  but 
cannot be used in the context of secure computation.
This  is  because  the  size  of  the  resulting  matrix  is  likely 
to  reveal  information  about  the  size  of  the  matching. 

Returning  to  our  prior  discussion  of  rank  computation, 
recall  that  the  asymptotic  complexity  of  rank  computa¬ 
tion  can  be  lower  (the  same  as  that  of  matrix  multiplica¬ 
tion).  Upon  examining  alternative  matrix  multiplication 
algorithms  of  sub-cubic  time,  we  came  to  the  conclusion 
that  only  Strassen’s  algorithm  [33]  has  practical  impor¬ 
tance  to  matrices  those  size  is  not  huge.  The  complexity 
of  such  an  algorithm  is  0(n*°®2  '^)  «  for 

an  n  X  n  matrix  and  it  would  give  us  a  solution  that 
runs  in  time.  While  this  algorithm  has 

reduced  numerical  stability,  it  is  not  an  issue  when 
the  computation  is  carried  out  in  a  finite  field  (i.e.,  on 
integers  without  rounding  errors). 

The  original  Strassen’s  algorithm  proposed  in  [33] 
is  applicable  only  to  invertible  matrices.  Solodovnikov 
[32]  later  showed  how  the  algorithm  can  be  extended 
for  solving  an  arbitrary  system  of  equations  or  finding 
the  rank  of  an  arbitrary  matrix,  which  can  be  used  as 
a  starting  point  for  a  secure  solution.  The  algorithm  is 
rather  complex  involving  several  matrix  transformations 
and  produces  matrices  the  size  of  which  determines  the 
rank.  We  note  that  it  is  possible  to  make  the  algorithm 
oblivious  (the  most  important  change  will  be  to  force 
matrices  to  always  be  of  the  same  size  by  padding  them 
with  dummy  rows  or  columns  when  necessary),  but  we 
choose  not  to  expand  on  this  further  due  to  the  limited 
applicability of the algorithm to fingerprint data. In particular,
Strassen’s matrix multiplication outperforms the
standard  matrix  multiplication  of  cubic  complexity  on 
matrices  with  sizes  100  and  higher  for  each  dimension, 
but  the  number  of  minutiae  in  a  fingerprint  (which  will 
define  the  matrix  size)  is  normally  much  lower. 

To fully explore our options, we consider another
approach that uses Gram-Schmidt orthogonalization process
for computation of the rank of a matrix. In particular,
Gram-Schmidt process takes a set of vectors
$\{x_1, \ldots, x_n\}$ and produces an orthogonal set of basis
vectors $\{y_1, \ldots, y_n\}$ that span the same subspace as the
original vectors (i.e., the basis for $\mathrm{span}\{x_1, \ldots, x_n\}$).
The algorithm proceeds with re-expressing all $x_i$’s in
terms of new orthogonal basis starting from $x_1$. It starts
by setting $y_1 = x_1$ and for $i = 2, \ldots, n$ computes
$y_i = x_i - \sum_{j=1}^{i-1} \mathrm{proj}_{y_j}(x_i)$. Here $\mathrm{proj}_{y_j}(x_i)$ denotes
orthogonal projection of vector $x_i$ onto the line spanned
by vector $y_j$ and thus $\sum_{j=1}^{i} \mathrm{proj}_{y_j}(x_{i+1})$ is the orthogonal
projection of $x_{i+1}$ onto $\mathrm{span}\{y_1, \ldots, y_i\}$. The projection
operator is defined as $\mathrm{proj}_{y_j}(x_i) = \frac{\langle x_i, y_j \rangle}{\langle y_j, y_j \rangle} y_j$, where
$\langle x_i, y_j \rangle$ denotes the inner product of vectors $x_i$ and $y_j$.
Also, when $y_j = 0$, $\mathrm{proj}_{y_j}(x_i) = 0$ for any vector $x_i$. If
we treat vectors $x_i$’s collectively as a matrix and apply


Algorithm 3  rank = GSRank($\{A_{ij}\}_{1 \le i \le m_X, 1 \le j \le m_Y}$)

 1: for $i = 1, \ldots, m_X$ do
 2:   for $j = 1, \ldots, m_Y$ do
 3:     set $B_{ij} = A_{ij}$
 4:   end for
 5: end for
 6: for $i = 2, \ldots, m_X$ do
 7:   for $j = 1, \ldots, i - 1$ do
 8:     set $zt_j = \bigvee_{k=1}^{m_Y} B_{jk}$
 9:     if ($zt_j \ne 0$) then
10:       set $\langle y_j, y_j \rangle = \sum_{k=1}^{m_Y} (B_{jk})^2$ and $\langle x_i, y_j \rangle = \sum_{k=1}^{m_Y} B_{ik} B_{jk}$
11:       for $k = 1, \ldots, m_Y$ do
12:         set $B_{ik} = B_{ik} - \langle x_i, y_j \rangle \langle y_j, y_j \rangle^{-1} B_{jk}$
13:       end for
14:     end if
15:   end for
16: end for
17: set rank = 0;
18: for $i = 1, \ldots, m_X$ do
19:   if ($zt_i \ne 0$) then
20:     rank = rank + 1;
21:   end if
22: end for
23: return rank


Gram-Schmidt process to it to obtain another matrix
formed by vectors $y_i$’s, then the number of non-zero
$y_i$’s will correspond to the rank of the matrix. We provide
our rank computation algorithm in a finite field based on
Gram-Schmidt process in Algorithm 3. In the algorithm,
lines 1-16 correspond to the Gram-Schmidt process and
lines 17-22 count non-zero rows in the resulting matrix.
The variable $zt_j$ tests whether vector $y_j$ contains at least
one non-zero element. If $y_j$ is zero, then any projection
$\mathrm{proj}_{y_j}$ is zero and $y_i$ does not need to be modified
(which corresponds to skipping lines 10-13 when $zt_j$
is zero). As before, we assume that $m_X \le m_Y$, and the
algorithm’s complexity is $O(m_X^2 m_Y)$.

Lastly, we note that with finite precision arithmetic
the algorithm can be unstable. This, however, is not an
issue for us because we use precise computation in a
field. The use of field operations, however, may introduce
an error which is specific to that type of arithmetic. In
particular, for a non-zero vector $y_j$, it is possible that
with a small probability $\langle y_j, y_j \rangle$ will evaluate to 0 on line
10 of the algorithm. The probability of this happening
in any given round of computation can be shown to be
less than $1/R$. If this however happens, it means that the
inverse $\langle y_j, y_j \rangle^{-1}$ is not going to exist and an error may
be introduced into the result (i.e., the computed rank may
be off by 1). To eliminate the error, we suggest that the
value of $\langle y_j, y_j \rangle$ is compared to 0 after its computation

Algorithm 4  A = AdjMat(A = $\{(x_i, y_i, \alpha_i)\}_{1 \le i \le m_X}$, $\{(x'_i, y'_i, \alpha'_i)\}_{1 \le i \le m_Y}$)

 1: for $i = 0, \ldots, m_X$ do
 2:   for $j = 0, \ldots, m_Y$ do
 3:     $c_1 = ((x'_j - x_i)^2 + (y'_j - y_i)^2 \stackrel{?}{<} (d_0)^2)$;
 4:     $c_2 = (\alpha_i \stackrel{?}{>} \alpha'_j)$;
 5:     $a_1 = \alpha_i - \alpha'_j$;
 6:     $a_2 = \alpha'_j - \alpha_i$;
 7:     $a_3 = c_2 \cdot a_1 + (1 - c_2) a_2$;
 8:     $c_3 = (a_3 \stackrel{?}{<} \alpha_0)$;
 9:     $c_4 = ((360 - a_3) \stackrel{?}{<} \alpha_0)$;
10:     $c = c_1 \wedge (c_3 \vee c_4)$;
11:     $r_{ij} \stackrel{R}{\leftarrow} [1, R]$;
12:     $A_{ij} = c \cdot r_{ij}$;
13:   end for
14: end for

on  line  10.  If  it  is  0  at  any  iteration  of  the  algorithm,  then 
the  algorithm  can  be  restarted  using  new  randomness  in 
forming  A.  Note  that  because  of  the  small  probability  of 
this  happening,  the  expected  number  of  times  that  this 
algorithm  will  have  to  be  restarted  is  near  0. 

V.  Oblivious  Fingerprint  Matching 
Algorithms 

In  order  to  design  a  secure  solution  for  the  fingerprint 
matching  problem,  we  need  to  ensure  that  all  parts  of 
the  computation  can  be  performed  obliviously.  This, 
in  particular,  implies  that  both  branches  of  conditional 
statements  will  always  be  executed  and  the  values  will 
be  set  based  on  the  result  of  evaluating  the  condition.  In 
particular,  statements  of  the  type 

    if (cond) then $a = v_1$ else $a = v_2$

will be transformed into evaluating the condition cond
first and then setting

    $a = \mathit{cond} \cdot v_1 + (1 - \mathit{cond}) \cdot v_2 = (\mathit{cond} \wedge v_1) \vee (\neg\mathit{cond} \wedge v_2)$    (2)

Here, $\vee$ and $\wedge$ denote bitwise OR and AND, respectively.
Then, for instance, oblivious computation of
the adjacency matrix A can be performed as given in
Algorithm 4. For performance reasons, we eliminate
square root computation when computing the Euclidean
distance (instead, squared distance is used). Also, $a_3$
corresponds to $|\alpha_i - \alpha'_j|$ and $(c_3 \vee c_4)$ corresponds to
$\min(|\alpha'_j - \alpha_i|, 360° - |\alpha'_j - \alpha_i|) \stackrel{?}{<} \alpha_0$.
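Algorithm 4 and the rewriting in equation (2), as an added Python example that is not code from the paper: every cell computes both angle differences and always draws its random factor, and the result is checked against a conventional branching version. The thresholds `D0` and `A0`, the sample minutiae and the `lt` helper (a stand-in for a secure comparison) are constructed for illustration.

```python
import random

def lt(a, b):
    """Stand-in for a secure comparison gadget: returns the bit [a < b]."""
    return int(a < b)

def select(cond, v1, v2):
    """Equation (2), arithmetic form: cond*v1 + (1 - cond)*v2 for cond in {0, 1}."""
    return cond * v1 + (1 - cond) * v2

def adj_bit(m, m2, d0, a0):
    """Lines 3-10 of Algorithm 4 for m = (x, y, alpha) and m2 = (x', y', alpha')."""
    (x, y, al), (x2, y2, al2) = m, m2
    c1 = lt((x2 - x) ** 2 + (y2 - y) ** 2, d0 ** 2)  # squared distance, no sqrt
    c2 = lt(al2, al)                                 # alpha_i > alpha'_j
    a1 = al - al2                                    # both differences are
    a2 = al2 - al                                    # computed every time
    a3 = select(c2, a1, a2)                          # |alpha_i - alpha'_j|
    c3 = lt(a3, a0)
    c4 = lt(360 - a3, a0)                            # wrap-around at 360 degrees
    return c1 & (c3 | c4)

def adj_matrix(X, Y, d0, a0, R, rng):
    """Lines 1-14: A_ij = c * r_ij, with r_ij drawn from [1, R] for every cell."""
    A = []
    for m in X:
        row = []
        for m2 in Y:
            c = adj_bit(m, m2, d0, a0)
            r = rng.randint(1, R)        # drawn whether or not the pair matches
            row.append(c * r)
        A.append(row)
    return A

def adj_bit_branching(m, m2, d0, a0):
    """Conventional data-dependent version, used only as a cross-check."""
    (x, y, al), (x2, y2, al2) = m, m2
    if (x2 - x) ** 2 + (y2 - y) ** 2 >= d0 ** 2:
        return 0
    diff = abs(al - al2)
    return 1 if min(diff, 360 - diff) < a0 else 0

# Constructed sample minutiae (x, y, angle in degrees) and thresholds.
X = [(10, 10, 355), (100, 40, 90), (200, 200, 180)]
Y = [(12, 11, 3), (101, 42, 140), (198, 203, 170)]
D0, A0, R = 10, 15, 2 ** 16

if __name__ == "__main__":
    for row in adj_matrix(X, Y, D0, A0, R, random.Random(1)):
        print(row)
```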

Modifying rank computation algorithms, however, requires
more significant changes to the way the computation
is carried out. In what follows, we describe the
intuition behind our solutions for rank determination and
also provide their detailed description.


A.  Rank  determination  using  Gaussian  elimination 

When  working  on  Gaussian  elimination  algorithm 
suitable  for  secure  processing,  a  major  issue  we  have  to 
overcome  is  to  make  the  execution  oblivious  in  presence 
of  zero  rows  and  columns.  That  is,  regardless  of  having 
zero  columns  (that  need  to  be  skipped)  or  zero  rows 
(that  need  to  be  swapped),  we  want  the  algorithm  to 
always  execute  the  same  instructions  and  always  access 
the  same  matrix  cells.  For  that  reason,  at  each  iteration  of 
the  solution,  we  choose  to  push  all  zero  columns  to  the 
right  and  all  zero  rows  to  the  bottom.  This  will  allow  us 
to  work  with  row  i  and  column  i  during  the  ith  iteration 
of  the  algorithm  (assuming  that  some  non-zero  row  and 
column  still  remain  at  iteration  i).  Furthermore,  once 
all  non-zero  rows  and  columns  have  been  processed, 
we  cannot  reveal  this  fact  and  have  to  continue  the 
computation  without  affecting  correctness  of  the  result. 

To  realize  swapping  of  zero  rows  and  columns  in 
an  oblivious  way,  we  utilize  data-oblivious  compaction. 
Compaction  of  a  sequence  of  values  allows  one  to  move 
all  non-zero  elements  to  the  beginning  and  thus  any  zero 
element  will  appear  only  after  all  non-zero  elements. 
Our  goal  of  pushing  zero  columns  and  rows  to  the  end 
can  also  be  achieved  by  using  oblivious  sorting,  but  we 
choose  compaction  for  performance  reasons.  Thus,  as 
the  first  step  of  each  iteration  i,  we  compute  whether 
any  given  (partial)  row  and  column  at  position  i  and 
higher  contains  at  least  a  single  non-zero  element.  Note 
that  we  only  need  to  consider  matrix  elements  with  both 
row and column indices $i$ and higher and this is why only
a part of each row and column is checked. For example,
for row $j \ge i$ only cells at position $i \le k \le m_Y$ can be
non-zero and are checked. Similarly, for column $j \ge i$
only cells at rows $i \le k \le m_X$ are relevant and checked.
After  this  step,  all  zero  rows  and  columns  are  pushed  to 
the  end  using  oblivious  compaction. 

At this point we have that the current row and column
(with index $i$) have at least one non-zero element, but
the algorithm requires that the leading coefficient of
the (partial) current row $i$ is non-zero. To satisfy this
constraint, we add all rows with index $i + 1$ and higher
to the current row $i$. This has no effect on correctness of
the computation (and is a common operation in Gaussian
elimination), but ensures that the matrix element $A_{ii}$ is
non-zero. This is because when (partial) column $i$ has at
least one non-zero element, the probability that the sum
of its elements (which are random values from the range
$[1, R]$) results in 0 is $1/R$. Thus, with overwhelming
probability (in the bitlength of $R$) $A_{ii} \ne 0$ when
(partial) column $i$ has at least one non-zero element and
correctness of the computation is preserved.

The only part of the algorithm that remains to be
modified for oblivious execution is ensuring that the
computation can proceed in exactly the same way once
all non-zero rows and columns have already been processed.
That is, for some iteration of the algorithm $i$ we
will have that all remaining (partial) rows and columns
are zero. To ensure that the algorithm can execute exactly
the same steps without revealing this fact and affecting
correctness of the computation, the only place we have
to modify is computation of the inverse of $A_{ii}$. Because
when $A_{ii} = 0$, it does not have a multiplicative inverse,
we set $A_{ii}$ to 1 in that case. Then because $1^{-1} = 1$,
multiplying any value by $1^{-1}$ will have no effect. To
ensure that $A_{ii}$ is unchanged when $A_{ii} \ne 0$, we set $A_{ii}$
to $A_{ii} + c$, where $c$ is the result of comparing $A_{ii}$ to 0.

The overall oblivious algorithm for computing over-the-threshold
matrix rank based on Gaussian elimination
is given in Algorithm 5. Lines 2-5 and 7-10 compute
row and column flags, respectively, that indicate whether
the (partial) rows or columns consist of only zero elements.
These flags are used in row-wise and column-wise
compaction on lines 6 and 11, respectively. Lines
12-16 update row $i$ to ensure that its leading element is
non-zero if non-zero rows still remain. Line 17 adjusts
the element $A_{ii}$ for the purpose of computing its inverse
as described above. Next, lines 18-23 compute the $i$th
iteration of Gaussian elimination. After executing lines
1-24, matrix A is in a row echelon form and all that
remains is to compute its rank by adding the number of
non-zero elements on the diagonal $A_{ii}$. This is performed
on lines 25-28. Lastly, the algorithm compares the
computed rank to some predefined threshold (which is
assumed to be a constant for given input sizes) and
outputs a bit, which indicates whether the compared
biometrics should be treated as a match.

To realize oblivious compaction, we utilize the general
approach of tight order-preserving compaction algorithm
from [15], which was subsequently used in the secure
multi-party computation framework in [5]. The algorithm
proceeds in $\log_2 n$ rounds for a sequence of $n$ values.
At round $i$ (for $0 \le i \le \log n - 1$), an element at
position $j$ is either obliviously moved $2^i$ elements left
or is not moved at all. The former happens when the
$i$th least significant bit in the number $count_j$ of zero
elements that precede the element at position $j$ is 1.
We refer the reader for additional details regarding the
algorithm to [15], [5] and provide our realization of it
with new optimizations in Algorithm 6. It is written for
the special case when the input consists of 1-bit elements
and moves all non-zero elements to the beginning of the
input sequence. When this algorithm is used for rank
computation in Algorithm 5, it will still take 1-bit keys
$r_j$ or $c_j$ according to which the values need to be moved,
but instead of moving individual elements, the entire
(partial) rows or columns are moved.

In the most general case, the element $x_j$ at position
$j$ is either kept unchanged or replaced with element at


Algorithm 5  b = OTGERank($\{A_{ij}\}$)

 1: for $i = 1, \ldots, m_X - 1$ do
 2:   for $j = i, \ldots, m_X$ do
 3:     Set $rowflag_j = \bigvee_{k=i}^{m_Y} A_{jk}$;
 4:     Set $r_j = (rowflag_j \stackrel{?}{\ne} 0)$;
 5:   end for
 6:   Use compaction to “sort” partial rows $i, \ldots, m_X$
      using keys $r_j$, where row $j$ is $(A_{ji}, \ldots, A_{jm_Y})$, so
      that all rows with $r_j = 0$ are moved to the bottom
      of A.
 7:   for $j = i, \ldots, m_Y$ do
 8:     Set $colflag_j = \bigvee_{k=i}^{m_X} A_{kj}$;
 9:     Set $c_j = (colflag_j \stackrel{?}{\ne} 0)$;
10:   end for
11:   Use compaction to “sort” partial columns
      $i, \ldots, m_Y$ using keys $c_j$, where column $j$ is
      $(A_{ij}, \ldots, A_{m_X j})$, so that all columns with $c_j = 0$
      are moved to the right of A.
12:   for $j = i + 1, \ldots, m_X$ do
13:     for $k = i, \ldots, m_Y$ do
14:       Set $A_{ik} = A_{ik} + A_{jk}$;
15:     end for
16:   end for
17:   Set $A_{ii} = A_{ii} + (A_{ii} \stackrel{?}{=} 0)$;
18:   Compute $A_{ii}^{-1}$;
19:   for $j = i + 1, \ldots, m_X$ do
20:     for $k = i, \ldots, m_Y$ do
21:       Set $A_{jk} = A_{jk} - A_{ik} \cdot A_{ii}^{-1} \cdot A_{ji}$;
22:     end for
23:   end for
24: end for
25: Set ranksum = 0;
26: for $i = 1, \ldots, m_X$ do
27:   Set ranksum = ranksum + $(A_{ii} \stackrel{?}{\ne} 0)$;
28: end for
29: Compute and return $b = (\mathit{ranksum} \stackrel{?}{<} T)$;


position $j + 2^i$ at the $i$th iteration of the algorithm. This
corresponds to the computation
$x_j = (1 - b_{ij}) x_j + b_{i,j+2^i} \cdot x_{j+2^i}$,
where $b_{ij}$ represents the $i$th least significant
bit of $count_j$ and at most one of $x_j$ and $x_{j+2^i}$
is non-zero at any given time. When, however, $j + 2^i$
exceeds the total number of elements, $x_j$ is either kept
or erased, i.e., $x_j = (1 - b_{ij}) x_j$. In addition, for the first
$2^i - 1$ elements of the sequence, $b_{ij}$ is always 0, which
means that we do not need to multiply $x_j$ by $(1 - b_{ij})$.
This logic is presented on lines 8-13 of the algorithm.

The complexity of the oblivious compaction algorithm
on which we build is $O(n \log n)$ for an $n$-element
input. In our case, each invocation of compaction is
executed on $m_X - i + 1$ rows (resp., $m_Y - i + 1$

Algorithm 6  $(y_1, \ldots, y_n)$ = Comp($(x_1, \ldots, x_n)$)

 1: $count_1 = 1 - x_1$;
 2: for $i = 2, \ldots, n$ do
 3:   $count_i = count_{i-1} + 1 - x_i$;
 4: end for
 5: Let $b_{ij}$ denote the $i$th least significant bit of $count_j$
    for $j = 1, \ldots, n$ and $i = 0, \ldots, \lceil \log n \rceil - 1$
 6: for $i = 0, \ldots, \lceil \log n \rceil - 1$ do
 7:   for $j = 1, \ldots, n$ do
 8:     if $j > 2^i$ then
 9:       $x_j = (1 - b_{ij}) x_j$;
10:     end if
11:     if $j + 2^i \le n$ then
12:       $x_j = x_j + b_{i,j+2^i} \cdot x_{j+2^i}$;
13:     end if
14:   end for
15: end for
16: Return $(x_1, \ldots, x_n)$;


columns) each of size $m_Y - i + 1$ (resp., $m_X - i + 1$).
This gives us that the total cost of compaction at all
iterations $i$ of the algorithm is $O(m_X^2 m_Y \log m_X)$ for
rows and $O(m_X^2 m_Y \log m_Y)$ for columns. This dominates
the algorithm’s complexity, as the remaining work is
$O(m_X^2 m_Y)$. However, according to our experimental
results in section VII, the cost of compaction is small
compared to the remaining computation (e.g., the cost of
multiplying two elements of the field is noticeably higher
than the cost of moving an element multiple times).
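A Python rendering of Algorithm 6, added here as an example and not the authors' implementation. It goes slightly beyond the 1-bit case by carrying an optional payload row with each key, which is how Algorithm 5 uses compaction; the 0-based indexing and all function names are this example's own.

```python
def oblivious_compact(keys, payload=None):
    """Move every item whose 1-bit key is 1 to the front, preserving order.

    keys    -- list of 0/1 values (x_1..x_n in Algorithm 6)
    payload -- optional list of integer rows moved together with the keys;
               a row whose key is 0 must be all-zero, as the partial
               rows/columns flagged 0 in Algorithm 5 are.
    Which cells are read and written depends only on n, never on the keys:
    the only `if` statements test public loop indices.
    """
    n = len(keys)
    x = list(keys)
    rows = [list(r) for r in payload] if payload is not None else [[] for _ in range(n)]

    # Lines 1-4: count[j] = number of zero keys in positions 0..j.
    count, zeros = [], 0
    for j in range(n):
        zeros += 1 - x[j]
        count.append(zeros)

    rounds = (n - 1).bit_length() if n > 0 else 0    # ceil(log2 n)
    for i in range(rounds):                          # line 6
        step = 1 << i
        for j in range(n):                           # line 7, ascending order
            if j >= step:                            # line 8 (1-based j > 2^i)
                keep = 1 - ((count[j] >> i) & 1)     # 1 - b_ij
                x[j] = keep * x[j]
                rows[j] = [keep * v for v in rows[j]]
            if j + step < n:                         # line 11 (1-based j + 2^i <= n)
                take = (count[j + step] >> i) & 1    # b_{i, j+2^i}
                # Position j + step has not been rewritten yet in this round.
                x[j] = x[j] + take * x[j + step]
                rows[j] = [v + take * w for v, w in zip(rows[j], rows[j + step])]
    return x, rows


def reference_compact(keys):
    """Ordinary data-dependent stable partition, used only to check results."""
    return [k for k in keys if k] + [k for k in keys if not k]


if __name__ == "__main__":
    # Constructed input: three flagged rows interleaved with zero rows.
    sample_keys = [0, 1, 0, 1, 1, 0]
    sample_rows = [[0, 0], [3, 4], [0, 0], [5, 6], [7, 8], [0, 0]]
    print(oblivious_compact(sample_keys, sample_rows))
```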

B.  Rank  determination  using  Gram-Schmidt  process 

To obtain a data-oblivious algorithm for matrix rank
computation based on the Gram-Schmidt process, we notice
that the only computation that is not data-oblivious
in the conventional approach in Algorithm 3 is the
conditional statement on lines 9-14. To eliminate this
conditional logic, we can use a similar mechanism to
that utilized in oblivious rank computation based on
Gaussian elimination. That is, when vector $y_j$ is zero,
so is $\langle y_j, y_j \rangle$, in which case we set $\langle y_j, y_j \rangle$ to 1. Then
the inverse of 1 is always computable (and equal to 1),
but the projection is still 0 because all elements of $y_j$
are 0 (and thus $\langle x_i, y_j \rangle$ is also 0).

As discussed in section IV, there is a small possibility
that $\langle y_j, y_j \rangle = 0$ when $y_j$ is non-zero. Then to ensure
that the algorithm always computes the result correctly,
we would like to implement error reporting, which will
notify the parties that the result may be unreliable and
let them restart the execution using new randomness
for the adjacency matrix. Note that unlike non-oblivious
execution, we cannot report the error at the point of its
occurrence because the fact that an error happened can


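Algorithm 7  b = OTGSRank($\{A_{ij}\}_{1 \le i \le m_X, 1 \le j \le m_Y}$)

 1: for $i = 1, \ldots, m_X$ do
 2:   for $j = 1, \ldots, m_Y$ do
 3:     $B_{ij} = A_{ij}$
 4:   end for
 5: end for
 6: set error = 0
 7: for $i = 2, \ldots, m_X$ do
 8:   compute $zt_i = (\bigvee_{j=1}^{m_Y} B_{ij} = 0)$
 9:   compute $\langle y_i, y_i \rangle = \sum_{k=1}^{m_Y} (B_{ik})^2$
10:   compute $b = (\langle y_i, y_i \rangle \stackrel{?}{=} 0)$ and
      set $\langle y_i, y_i \rangle = \langle y_i, y_i \rangle + b$
11:   set error = error + $(1 - zt_i) b (1 - \mathit{error})$
12:   compute $\langle y_i, y_i \rangle^{-1}$
13:   for $j = 1, \ldots, i - 1$ do
14:     compute $\langle x_i, y_j \rangle = \sum_{k=1}^{m_Y} B_{ik} B_{jk}$
15:     for $k = 1, \ldots, m_Y$ do
16:       set $B_{ik} = B_{ik} - \langle x_i, y_j \rangle \langle y_j, y_j \rangle^{-1} B_{jk}$
17:     end for
18:   end for
19: end for
20: set ranksum = 0;
21: for $i = 1, \ldots, m_X$ do
22:   ranksum = ranksum + $zt_i$;
23: end for
24: Set $b = (\mathit{ranksum} \stackrel{?}{<} T)$;
25: return $(1 - \mathit{error}) b + 2 \cdot \mathit{error}$;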

reveal unintended information. For instance, if an error
is reported during iteration $i$ of the algorithm, at the
very least, the participants will learn that the $i$th row
of the adjacency matrix was non-zero, which cannot be
deduced from the output that the parties learn. Thus, the
computation needs to proceed until the end even if an
error is detected, and the error is returned at the end
of the computation by outputting a special value. Once
again, the probability of the error happening is negligible
in the correctness parameter (which determines the
bitlength of the field elements), which means that the
computation almost never will need to be restarted.

We provide our data-oblivious algorithm for over-the-threshold
rank computation based on Gram-Schmidt process
in Algorithm 7. The algorithm is structured in such
a way as to minimize the overall amount of computation;
namely, any quantity used in the computation multiple
times without being modified in between is computed
only once. In particular, because row $i$ is updated only
during iteration $i$ of the loop, each $y_i$ is updated only
once and we can take the computation of $\langle y_j, y_j \rangle$ and its
inverse outside of the loop over $j$ and instead compute
$\langle y_j, y_j \rangle$ once for each $i$.

The algorithm checks whether $\langle y_i, y_i \rangle = 0$ and if so,
sets it to 1. Also, if $y_i$ is non-zero, but $\langle y_i, y_i \rangle = 0$,
an error is set. We maintain that variable error is a bit,
which after being set to 1 remains 1 until the end of the
algorithm. That is, its value is incremented (from 0 to 1)
only when the current row is non-zero, $\langle y_i, y_i \rangle = 0$,
and error is currently 0 (line 11). The algorithm outputs
either 0, 1, or 2. In the exceptional case of when the
error was set, the algorithm outputs 2. Otherwise, either
0 or 1 is returned based on the result of the computation.
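The error handling of Algorithm 7 in executable form, as an added Python example rather than the paper's code: rank is computed over a prime field with no data-dependent branch, a zero $\langle y_i, y_i \rangle$ is replaced by 1 before inversion, and a sticky error bit turns the output into 2. The loop order (orthogonalise row i, then test it), the Fermat-based zero test, the counting of non-zero rows, and the sample matrices and moduli are choices of this example.

```python
def nonzero_bit(v, p):
    """[v != 0 mod p] without branching: v^(p-1) is 1 for v != 0 and 0 for v = 0."""
    return pow(v % p, p - 1, p)

def inner(u, v, p):
    return sum(a * b for a, b in zip(u, v)) % p

def gs_rank_oblivious(A, p):
    """Return (number of non-zero rows after Gram-Schmidt, error bit) over F_p."""
    B = [[a % p for a in row] for row in A]          # copy A into B
    error, ranksum = 0, 0
    inv_norm = []                                    # <y_j, y_j>^{-1} of finished rows
    for i in range(len(B)):
        # Subtract the projection onto every earlier row; none is skipped.
        # For a zero y_j the coefficient is 0, so the row is left unchanged.
        for j in range(i):
            coeff = inner(B[i], B[j], p) * inv_norm[j] % p
            B[i] = [(x - coeff * y) % p for x, y in zip(B[i], B[j])]
        all_zero = 1
        for x in B[i]:
            all_zero *= 1 - nonzero_bit(x, p)
        nz = 1 - all_zero                            # 1 iff y_i has a non-zero entry
        norm = inner(B[i], B[i], p)
        b = 1 - nonzero_bit(norm, p)                 # b = [<y_i, y_i> = 0]
        error = error + nz * b * (1 - error)         # sticky: set once, never cleared
        inv_norm.append(pow(norm + b, p - 2, p))     # 0 is replaced by 1 before inverting
        ranksum += nz
    return ranksum, error

def ot_gs_rank(A, p, T):
    """Output convention of Algorithm 7: 2 on error, otherwise the bit [ranksum < T]."""
    ranksum, error = gs_rank_oblivious(A, p)
    below = int(ranksum < T)                         # stands in for a secure comparison
    return (1 - error) * below + 2 * error

def rank_mod_p(A, p):
    """Ordinary data-dependent Gaussian elimination, used only as a cross-check."""
    M = [[a % p for a in row] for row in A]
    rank = 0
    for col in range(len(M[0]) if M else 0):
        piv = next((r for r in range(rank, len(M)) if M[r][col]), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][col], p - 2, p)
        for r in range(rank + 1, len(M)):
            f = M[r][col] * inv % p
            M[r] = [(a - f * b) % p for a, b in zip(M[r], M[rank])]
        rank += 1
    return rank

# Constructed inputs. In F_5 the non-zero vector (1, 2) has 1 + 4 = 0 as its
# inner product with itself, which is exactly the case the error bit reports.
P_LARGE = 2 ** 31 - 1
DEPENDENT = [[2, 3, 5], [7, 11, 13], [9, 14, 18]]    # row 3 = row 1 + row 2
ISOTROPIC = [[1, 2], [0, 1]]

if __name__ == "__main__":
    print(gs_rank_oblivious(DEPENDENT, P_LARGE), ot_gs_rank(ISOTROPIC, 5, 2))
```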

VI.  Secure  Fingerprint  Matching  Protocols 

The data-oblivious fingerprint matching algorithms
presented above lead us to secure realization of this functionality
in the secure multi-party computation framework.
In particular, because the execution is now data-oblivious,
we can combine it with one of the available
secure arithmetic techniques to result in protocols that
provably protect privacy of biometric data. We outline
two such possibilities.

The  first  solution  that  we  list  is  to  employ  two- 
party  garbled  circuit  evaluation  techniques  (originally 
proposed  in  [38]).  This  technique  represents  the  function 
to  be  evaluated  as  a  Boolean  circuit  and  allows  one 
participant,  circuit  generator,  to  encode  the  circuit  using 
two random labels for each (binary) wire. Then the second
participant, circuit evaluator, evaluates the garbled
circuit  on  private  inputs  in  a  way  that  it  sees  the  labels 
used  during  function  evaluation,  but  their  meaning  (i.e., 
0  or  1)  is  not  known  to  that  party.  After  the  evaluator 
computes  the  labels  for  the  output  wires,  it  sends  them  to 
the  circuit  generator,  who  determines  their  meaning  and 
(optionally)  announces  the  output  to  the  second  party. 
To  choose  labels  corresponding  to  the  private  inputs,  the 
parties  engage  in  Oblivious  Transfer  (OT),  as  a  result  of 
which  the  evaluator  obtains  labels  corresponding  to  its 
inputs  and  the  other  party  learns  nothing.  This  allows  the 
evaluator  to  obtain  labels  for  its  private  inputs  and  labels 
for  the  circuit  generator’s  inputs  are  sent  directly  to  the 
evaluator  (who  does  not  know  their  meaning).  There  are 
many  available  OT  realizations  and  their  extensions  such 
as,  e.g.,  [26]  and  [17]. 

Theorem 1. Assuming the existence of secure garbled
circuit evaluation techniques and oblivious transfer, our
algorithms result in 1-private protocols for fingerprint
matching with two participants $P_1$ and $P_2$.

Proof. Given secure implementation of garbled circuit
evaluation and OT, two participants can 1-privately evaluate
any function $f$ on their private inputs $in_1$ and $in_2$
and learn outputs $out_1$ and $out_2$, respectively. The only
part that has to be shown is that the function can be
represented as a Boolean circuit. We specify our algorithms
using a data-independent sequence of instructions
consisting of Boolean and integer operations, which have
known Boolean circuit representations. This means that
the functions can be securely evaluated in the garbled
circuit framework, resulting in 1-private protocols for
fingerprint matching. □

The second technique that we suggest to use is threshold
linear secret sharing in the multi-party setting (such
as Shamir’s secret sharing [31]). It allows n > 2 parties
to  securely  evaluate  a  function  on  shares  of  private  data. 
Then  before  the  computation  commences,  all  private  data 
are  split  into  shares  and  the  shares  are  distributed  among 
the  computational  parties  who  carry  out  the  computation 
on  protected  data.  After  the  computation,  the  shares  of 
the  result  are  communicated  to  the  participants  who 
are  entitled  to  learning  the  result  and  reconstruct  the 
output  from  the  shares.  Note  that  in  this  formulation,  the 
participants  who  provide  the  data  do  not  have  to  coincide 
with  computational  parties,  but  rather  the  set  of  input 
providers,  output  recipients,  and  computational  parties 
can  be  arbitrary  with  respect  to  their  relationship  to  each 
other.  This  makes  the  framework  suitable  for  a  variety 
of  settings  including  secure  computation  outsourcing  by 
one  or  more  clients  to  a  number  of  servers. 

With linear secret sharing techniques, any linear combination
of secret shared data is computed locally by
each participant, but multiplication requires their interaction
and constitutes a basic (interactive) building block of
larger computations. With $(n, t)$-threshold linear secret
sharing techniques, each private value is split into $n$
shares (and distributed to $n$ participants) such that $t$ or
fewer shares information-theoretically reveal no information
about the shared value, while $t + 1$ shares allow the
value to be reconstructed. For semi-honest participants,
it is typically the case that $t < n/2$. Any function can
be expressed in this framework, and optimized designs
of commonly used operations are available.
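Shamir's scheme as described above, as an added Python example that is not the paper's implementation: sharing, reconstruction from $t + 1$ shares, local linear combinations, and a share-wise product whose polynomial has degree $2t$ and therefore needs $2t + 1$ shares to be read correctly, one reason protocols in this family ask for $t < n/2$. The modulus, the polynomials and the party indices 1..n are constructed for illustration.

```python
import random

P = 2 ** 31 - 1          # constructed prime modulus for the example

def share_poly(coeffs, n, p=P):
    """Shares of f(0), where f(x) = coeffs[0] + coeffs[1]*x + ...; party k gets f(k)."""
    return [(k, sum(c * pow(k, e, p) for e, c in enumerate(coeffs)) % p)
            for k in range(1, n + 1)]

def share(secret, n, t, rng, p=P):
    """(n, t)-threshold sharing: a random polynomial of degree t with f(0) = secret."""
    return share_poly([secret % p] + [rng.randrange(p) for _ in range(t)], n, p)

def reconstruct(points, p=P):
    """Lagrange interpolation at x = 0 from a list of (party index, share)."""
    secret = 0
    for k, yk in points:
        num, den = 1, 1
        for m, _ in points:
            if m != k:
                num = num * (-m) % p
                den = den * (k - m) % p
        secret = (secret + yk * num * pow(den, p - 2, p)) % p
    return secret

def add_local(a, b, p=P):
    """Each party adds its own two shares: no communication, degree stays t."""
    return [(k, (ya + yb) % p) for (k, ya), (_, yb) in zip(a, b)]

def scale_local(c, a, p=P):
    """Multiplication by a public constant is also local."""
    return [(k, c * ya % p) for k, ya in a]

def mul_local(a, b, p=P):
    """Share-wise product: a sharing of the product, but of degree 2t, which is
    why a real protocol follows it with an interactive degree-reduction step."""
    return [(k, ya * yb % p) for (k, ya), (_, yb) in zip(a, b)]

# Constructed demo with n = 5 parties and t = 2.
SHARES_A = share_poly([3, 1, 2], 5)     # secret 3, f(x) = 3 + x + 2x^2
SHARES_B = share_poly([4, 5, 1], 5)     # secret 4, g(x) = 4 + 5x + x^2

if __name__ == "__main__":
    print(reconstruct(SHARES_A[:3]))                          # t + 1 shares suffice
    print(reconstruct(add_local(SHARES_A, SHARES_B)[:3]))     # local addition
    prod = mul_local(SHARES_A, SHARES_B)
    print(reconstruct(prod), reconstruct(prod[:3]))           # all 5 shares vs only 3
```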

Theorem 2. Assuming the existence of secure $(n, t)$-threshold
linear secret sharing scheme, our algorithms
result in $t$-private protocols for fingerprint matching with
$n$ participants and $t < n/2$.

The argument for this proof proceeds in the same way
as for Theorem 1: because our algorithms are oblivious, the
straightforward application of threshold linear secret sharing
techniques results in secure protocols for fingerprint
matching in the multi-party setting.

For  both  two-party  techniques  based  on  garbled  circuit 
evaluation  and  multi-party  techniques  based  on  secret 
sharing,  there  are  general  mechanisms  for  converting 
solutions  secure  in  the  semi-honest  model  to  solutions 
resilient  to  fully  malicious  behavior  in  the  stronger 
malicious  adversarial  model  (see,  e.g.,  [21]  for  garbled 
circuits  and  [3]  for  secret  sharing  among  many  others). 
This  means  that  if  we  apply  such  techniques  to  our 
computation,  we  automatically  obtain  protocols  secure 
in the malicious model. We omit the details here.

VII. Implementation and Performance

To evaluate performance of our techniques, we implement
our oblivious fingerprint matching algorithms
using  both  Gaussian  elimination  and  Gram-Schmidt 
approaches  in  a  secure  computation  framework.  Our 
implementation  is  based  on  two-party  garbled  circuit 
evaluation  and  utilizes  a  tool  called  JustGarble  [4]  for 
efficient  circuit  garbling  and  garbled  circuit  evaluation. 

We  build  Boolean  circuits  for  Algorithms  5  and  7  with 
optimizations  tailored  to  specifics  of  modern  garbling 
techniques.  In  particular,  recent  garbled  circuit-based 
techniques  allow  for  XOR  gates  to  be  implemented 
without  any  use  of  cryptographic  operations,  which 
allows  XOR  gates  to  become  virtually  free  [20].  This 
means that a circuit that minimizes the use of non-XOR
gates will have performance advantages over other
circuits  of  comparable  size  with  smaller  percentage  of 
XOR  gates.  One  specific  optimization  that  we  were  able 
to  apply  is  minimizing  the  number  of  non-XOR  gates 
in  evaluation  of  conditional  statements.  In  detail,  recall 
that  conditional  statements  are  re-written  as  given  in 
equation  2.  The  second  formula  expressed  in  terms  of 
Boolean  operations  is  more  suitable  for  use  in  Boolean 
circuits,  but  we  also  notice  that  the  bitwise  OR  operation 
can  be  replaced  with  bitwise  XOR  operation.  This  is  due 
to the fact that at most one clause (i.e., $c \wedge v_1$ or $\neg c \wedge v_2$) can
be  non-zero  at  any  time  and  thus  XOR  would  accomplish 
the  same  functionality  as  OR  or  addition.  This  applies  to 
computation  in  all  of  Algorithms  5,  6,  and  7.  Also  note 
that  in  compaction  algorithm  extracting  individual  bits 
of  counts  requires  no  computation  because  of  bitwise 
representation  of  all  values. 

We measure performance of the algorithms for different
numbers of minutiae in fingerprints being compared
and different values of the correctness parameter. We
varied the number of minutiae in both fingerprints from
10 to 30 and also varied the size of the field $\mathbb{F}_R$ with $R$’s
bitlength ranging from 10 to 20. Recall that according
to [22], the probability that the rank of a randomized
adjacency matrix is not equal to the size of the maximum
matching is at most $n/R$ for $n$-minutia fingerprints.
This means that in our experiments the probability
that the result is incorrect is approximately between
$< n/10^3$ and $< n/10^6$. In the implementation, we
assume that coordinates $x_i, y_i$ of each minutia point are
represented in a 2-dimensional space of size 250 × 250
(i.e., $x_i, y_i \in [0, 249]$) and thus the bitlength of each
coordinate is 8. Then angle $\alpha_i$ is provided in degrees
from space [0, 359] and thus each $\alpha_i$ is represented using
9 bits. In our experiments, circuits with 30 million gates
and larger were divided into sub-circuits as the current
implementation of JustGarble requires that the entire
circuit resides in memory for garbling/evaluation. All
experiments were run on a 3.2 GHz machine with Red
Hat Linux and 4GB of memory and are given in Table I.
Each experiment was run 100 times, and the double
median (i.e., the median of 10 medians) is reported.

In Table I, T_G denotes the time it takes to garble the
circuit measured in the average number of CPU cycles
per gate (as in [4]). Similarly, T_E indicates evaluation
time, also measured in the number of CPU cycles per
gate. We also provide the total number of gates for each
circuit. Note that the number of cycles per gate can vary
in different circuits, which at least in part is due to the
fact that circuits can contain different percentages of XOR
gates (which require substantially less work to create
and evaluate than other gates). From Table I, we can
often see a slight increase in the per-gate runtimes as the
number of minutiae in fingerprints increases and a slight
decrease in the runtimes as the correctness parameter
decreases. This perhaps can be explained by the varying
composition of the circuits between XOR and non-XOR
gates. For example, when the security parameter
increases, a larger portion of the circuit corresponds to
field operations that have a higher percentage of XOR
gates than other operations. For two circuits of the same
size, we also observed that partitioning a circuit into
small pieces results in slightly faster per-gate times,
which is likely due to improved cache performance. We
can see from the table that the circuits corresponding
to the GE solution are smaller by a factor of 2-3
than circuits corresponding to the GS solution. This is
likely due to a larger number of field operations in the
latter (while the structure of the algorithms is similar).

We note that the overall execution consists of circuit
garbling, oblivious transfer for one of the parties' inputs,
and garbled circuit evaluation. Circuit garbling and
transfer of the garbled circuit can typically be performed in
advance, assuming that the sizes of inputs are known.
Similarly, the most expensive portion of OT (which uses
public-key operations) can be performed in advance.
This means that the online phase will consist of garbled
circuit evaluation and communication of inputs associated
with the remaining portion of OT. Using the OT
extension from [17], the number of public-key operations
associated with any number of OT invocations is reduced
to approximately k, where k is the security parameter
(on the order of 96-128). Furthermore, all these public-key
operations can be performed in the offline phase
and the online phase involves only communicating a
number of bits linear in the number of inputs the circuit
evaluator has and performing a similar number of hash
function operations. Recall that in our application the
number of inputs for each party is the number of bits in
the fingerprint representation (i.e., 25m_X or 25m_Y), which
is very small compared to the size of the computation.
This means that the cost of OT will not have a noticeable
impact on the overall runtime of our solution.

| Biometric size | Correctness parameter | GE T_G | GE T_E | GE Gates    | GS T_G | GS T_E | GS Gates    |
|----------------|-----------------------|--------|--------|-------------|--------|--------|-------------|
| 10 minutiae    | 10                    | 81.80  | 50.49  | 1,843,602   | 81.24  | 51.84  | 3,830,374   |
| 10 minutiae    | 15                    | 81.30  | 52.12  | 4,307,707   | 80.69  | 52.70  | 8,818,644   |
| 10 minutiae    | 20                    | 80.66  | 53.02  | 8,392,862   | 80.74  | 53.32  | 16,450,214  |
| 15 minutiae    | 10                    | 84.05  | 53.18  | 5,238,622   | 81.27  | 53.03  | 11,798,434  |
| 15 minutiae    | 15                    | 83.18  | 53.37  | 11,496,802  | 81.72  | 53.68  | 26,427,929  |
| 15 minutiae    | 20                    | 82.35  | 53.92  | 21,156,282  | 81.03  | 53.71  | 47,858,974  |
| 20 minutiae    | 10                    | 85.29  | 53.91  | 11,543,713  | 82.96  | 54.00  | 26,865,777  |
| 20 minutiae    | 15                    | 84.33  | 54.16  | 24,619,823  | 81.44  | 53.32  | 59,565,747  |
| 20 minutiae    | 20                    | 83.15  | 54.25  | 43,964,983  | 80.46  | 53.29  | 106,524,267 |
| 25 minutiae    | 10                    | 85.99  | 54.85  | 21,741,388  | 83.27  | 54.03  | 51,343,112  |
| 25 minutiae    | 15                    | 85.25  | 54.57  | 45,690,373  | 81.67  | 53.50  | 113,323,432 |
| 25 minutiae    | 20                    | 82.77  | 53.80  | 80,226,158  | 81.44  | 53.23  | 201,405,552 |
| 30 minutiae    | 10                    | 87.14  | 54.74  | 36,796,263  | 82.93  | 53.96  | 87,541,197  |
| 30 minutiae    | 15                    | 85.05  | 54.12  | 76,695,248  | 81.56  | 53.75  | 192,792,367 |
| 30 minutiae    | 20                    | 82.85  | 53.56  | 133,311,283 | 81.32  | 53.63  | 341,462,337 |

TABLE I

Performance of fingerprint matching using JustGarble based on Gaussian Elimination (GE) or Gram-Schmidt (GS) approaches.


Fig.  1.  Performance  of  garbled  circuit  evaluation  for  fingerprint 
matching. 


To provide additional information about runtime of
our privacy-preserving fingerprint identification protocols,
we translate the numbers from Table I into execution
times. In Figure 1, we report circuit evaluation times
for experiments with 15 and 20 minutiae. The runtimes
were computed from the circuit sizes, per-gate evaluation
times, and the machine's clock rate. We can see that the
runtimes are on the order of a second or less, which is
an acceptable delay for fingerprint authentication.

Before we conclude this section, we would like to
comment on the performance of our solution compared
to the performance of other secure fingerprint matching
protocols. As mentioned earlier, the only secure fingerprint
matching protocols that use minutia representations we
are aware of are those from [8] and [30]. They are based
on pairing a minutia with the closest possible match
minutia and all possible match minutiae, respectively,
which does not guarantee an accurate result and requires
substantially less work. Implementation results are only
given in [8] and the runtimes are similar to what we
obtain in our solution. (And while no implementation
results were reported in [30], we anticipate that the
performance of that solution will be substantially slower
than the solution from [8].) The computation in [8] was
structured as comparing fingerprint X to a number of
fingerprints Y in a database D. This incurs a one-time
cost (per X) and a recurring cost per record Y in D. This
means that if we compare X to a single fingerprint Y,
the one-time cost will still be present. For fingerprints
consisting of 20 minutiae, [8] reports about 5 seconds of
offline work per Y (total for both parties) and about 4
more seconds for one-time offline work. The online work
is approximately 0.85 second per Y. We note that our
solution requires even lower overall work for the same
fingerprint sizes, but the online work may be higher for
large values of the correctness parameter. If we increase
the number of minutia points in a fingerprint, the runtime
of our solution is expected to increase more rapidly than
the runtime of the solution from [8] because of the higher
complexity of the algorithm we use.

VIII.  Conclusions 

This work investigates privacy-preserving fingerprint
matching in a secure computation framework. We explore
fingerprint matching approaches based on the standard
minutia-based representation of fingerprints and settle on
the most accurate algorithm, which models the problem
as a flow network in bipartite graphs and is guaranteed
to find a matching of maximal size. We show how the
problem can be solved using rank computation of an
adjacency matrix, which has the same complexity as
that of matrix multiplication. We build data-oblivious
algorithms for rank computation based on Gaussian
elimination and the Gram-Schmidt process, the complexity of
which is cubic in the number of minutiae in fingerprints.
While it is possible to make algorithms of lower asymptotic
complexity (such as Strassen's matrix multiplication
and its extension to rank computation for non-singular
matrices) data oblivious, such algorithms are of limited
applicability to this problem because of larger constants
behind the big-O notation and a rather low number
of minutia points in a fingerprint. Our data-oblivious
algorithms consequently lead to secure fingerprint
authentication or identification using available secure
two-party and multi-party techniques. Despite having more
complex computation to achieve the desired accuracy, we
show through experiments that the performance of our
techniques is suitable for this application and is comparable
to the performance of other secure fingerprint matching
techniques that perform simpler minutia matching (and
which are not guaranteed to be optimal).
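
The rank-based computation of the matching size summarized above, together with the n/R error bound quoted from [22] in the experimental section, can be tried in plain Python. This is an added sketch, not the paper's garbled-circuit implementation: the prime field size R = 2^19 - 1, the sample adjacency matrix and all function names are assumptions made here, and the selector arithmetic only illustrates elimination with a fixed operation sequence.

```python
import random

R = 2**19 - 1  # assumed prime field size (19-bit Mersenne prime)

# Constructed sample: ADJ[i][j] = 1 if minutia i of X may pair with minutia j of Y.
ADJ = [[1, 1, 0, 0, 0],
       [1, 0, 0, 0, 0],
       [0, 1, 0, 0, 0],
       [0, 0, 1, 1, 0],
       [0, 0, 0, 1, 1]]

def max_matching(adj):
    """Reference answer: maximum bipartite matching via augmenting paths."""
    match = [-1] * len(adj[0])
    def augment(u, seen):
        for v, edge in enumerate(adj[u]):
            if edge and v not in seen:
                seen.add(v)
                if match[v] < 0 or augment(match[v], seen):
                    match[v] = u
                    return True
        return False
    return sum(augment(u, set()) for u in range(len(adj)))

def oblivious_rank(m, r=R):
    """Rank over F_r by Gaussian elimination with a fixed operation sequence:
    pivots are picked with 0/1 selector arithmetic, never by branching or swapping."""
    a = [[v % r for v in row] for row in m]
    rows, cols = len(a), len(a[0])
    used = [0] * rows
    for c in range(cols):
        found, pivot, sel = 0, [0] * cols, [0] * rows
        for i in range(rows):  # select first unused row with a nonzero entry in column c
            sel[i] = (1 - used[i]) * int(a[i][c] != 0) * (1 - found)
            found |= sel[i]
            pivot = [(p + sel[i] * v) % r for p, v in zip(pivot, a[i])]
        inv = pow(pivot[c], r - 2, r)  # Fermat inverse; maps 0 to 0 when no pivot exists
        for i in range(rows):  # clear column c in every other unused row
            f = (1 - used[i]) * (1 - sel[i]) * a[i][c] * inv % r
            a[i] = [(v - f * p) % r for v, p in zip(a[i], pivot)]
            used[i] |= sel[i]
    return sum(used)

def rank_estimate(adj, r=R, seed=0):
    """Replace each edge by a random element of F_r and return the rank."""
    rng = random.Random(seed)
    return oblivious_rank([[rng.randrange(r) if e else 0 for e in row] for row in adj], r)

if __name__ == "__main__":
    print(max_matching(ADJ), rank_estimate(ADJ))
```

The error is one-sided: the rank of the randomized matrix can fall below the maximum matching size when the random values happen to cancel, but it can never exceed it, which is why a larger R only tightens the result.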